Using Escaped Characters in Panther's Ingestion Filters for Normalized Events

Last updated: June 10, 2025

Issue

When you create ingestion filters for normalized events using string values that include escape sequences, the filters do not work as expected or fail to match the intended events.

Resolution

When your string value is parsed, the escape sequences are converted to their actual characters. Therefore, when adding ingestion filters for normalized events, use the converted characters rather than the raw string format.

For example, to filter raw string values in the labels field that contain \"system:, use the filter labels contains system: and do not include the raw escape sequence \" in your filter expressions, because the normalized event representation does not retain this format.

This approach ensures that your filters correctly match the normalized event data.

Cause

This behavior occurs because normalized events do not retain the exact raw string representation from the source. Instead, sequences such as double quote delimiters and escaped characters are parsed and converted to their actual character values. If ingestion filters are created using the exact raw string format (including escape sequences), they will not match the normalized event data, resulting in ineffective filtering.
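The mismatch described above can be reproduced offline. The following is an added example, not Panther's code: it assumes a JSON log source, uses Python's json module to stand in for parsing, and uses a plain substring test to stand in for the contains condition. The sample log line and the helper names (normalize, contains, decode_escapes, lint_filter_value) are constructed for illustration.

```python
import json

# Constructed sample: one raw log line as it might arrive from a JSON source.
# In the raw text, the double quotes inside the "labels" string are escaped as \".
RAW_LINE = r'{"id": "evt-1", "labels": "{\"system:role\": \"admin\"}"}'


def normalize(raw_line):
    """Parse the raw line; escape sequences become their actual characters."""
    return json.loads(raw_line)


def contains(event, field, value):
    """Stand-in for a 'contains' filter: substring test on the parsed field."""
    return value in str(event.get(field, ""))


def decode_escapes(filter_value):
    """Convert JSON-style escapes in a filter value the way parsing would."""
    try:
        return json.loads('"' + filter_value + '"')
    except json.JSONDecodeError:
        # Not a valid JSON string body (e.g. a bare quote); nothing to convert.
        return filter_value


def lint_filter_value(filter_value):
    """Return a warning if the value still carries raw escape sequences."""
    decoded = decode_escapes(filter_value)
    if decoded != filter_value:
        return f"raw escapes in filter value; parsed data holds {decoded!r}"
    return None


if __name__ == "__main__":
    event = normalize(RAW_LINE)
    print("parsed labels:", event["labels"])
    for candidate in (r'\"system:', "system:"):
        print(repr(candidate),
              "| matches:", contains(event, "labels", candidate),
              "| lint:", lint_filter_value(candidate))
```

Running a check like lint_filter_value over filter values before saving them catches strings copied straight from raw logs, which would otherwise produce a filter that silently matches nothing.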